Monday, 3 February 2014

Coding error on hundreds of NHS sites redirects users to dodgy pages

nhs
Hundreds of NHS websites have been redirecting web users to pages hosting advertising or malware, due to a "coding error".
The issue was first reported by a user of the Reddit forums called Muzzers, who reported more than 800 URLs affected by the issue, and posted a list on Pastebin.
“While attempting to access flu shot information I stumbled upon a page which redirected me to an advertisement. Digging a bit deeper I found hundreds more pages which redirect to either an advertisement or malware infested page,” Muzzers wrote.
"It seems that many pages include these malicious script tags, which then kicks off the whole ordeal. Hiding the script under a malicious URL Googleaspis.com instead of a valid Googleapis.com."
The URLs affected were managed by the NHS Choices department, and in a statement sent to V3 it explained a coding error had caused the issues.
“An internal coding error has caused an incorrect re-direct on some pages on NHS Choices since Sunday evening," the statement said.
"Routine security checks alerted us to this problem on Monday morning at which point we identified the problem and corrected the code."
The update is now underway and should sort the problem by Monday afternoon. A full review of the incident will then take place.
The statement added: “We can confirm that this problem has arisen due to an internal coding error and that NHS Choices has not been maliciously attacked.
“NHS Choices is treating this issue with urgency and once resolved we plan to undertake a thorough and detailed analysis to ensure that a full code review is undertaken and steps put in place to ensure no reoccurrence."
The incident underlines the perils of software and coding updates, with Natwest hitting the headlines in 2012 when a botched update knocked systems offline for several hours.

No comments:

Post a Comment